WEST PALM BEACH, Fla. — Cyber criminals are smarter than ever, both in their technical prowess and their ability to con members into handing over confidential information.
That's according to participants in an exclusive Credit Union Journal online-fraud roundtable.
In light of the dim economy, representatives from the CUNA Technology Council and two fraud-savvy CUs took time to tell credit unions what to watch for — and what to hope for — in the world of cybercrime. In addition, the Credit Union Information Security Professionals Association (CUISPA) shared results from this month's member survey on online fraud.
Credit Union Journal: What's the biggest threat in online fraud right now?
Robert Reh: Social engineering seems more prevalent than mechanized attacks. With today's economy, members are more desperate and more gullible. Fraudsters can use social networks to convince members to give them information and data mining can be used to automatically capture the data.
Margaret Mucker: We're seeing more social engineering of staff than we've ever seen. Members are using social media sites and telling the world anything you'd want to know. Fraudsters can use that information to contact our call center and make the staff believe they're the real person.
Kelly Dowell: The scams vary greatly, from stolen ATM cards to hijacked online sessions. Card fraud still produces the largest losses overall. Social engineering, especially phishing and its variants, presents the greatest challenge, said many CUISPA members who participated in the survey.
CUJ: What are the trends you're seeing in online fraud?
Reh: If you look at attempts to get through our firewall, there's been some increase in online fraud activity. Fortunately, this upsurge in online fraud attempts has not resulted in more actual fraud.
Fred Shuherk: Fraudsters have a bigger pool of members to take their bait because of the economy. There's the PayPal scams, the Nigerian email crimes...a member who is a 24-year-old engineer and a pretty bright guy wired $1,200 to a fraudster who promised to wire back $6,000. There's no way for me to stop that member — that was social engineering; the fraudster didn't even hack his account.
The volume of our online fraud alerts is bigger, but it's not outpacing our growth. We'd like to say that online fraud hasn't grown exponentially because of our technologies. But we don't know what's coming next from the hackers.
Mucker: At ATMs and branches, we're seeing an increase in check fraud, which had almost gone away. Regular people are reverting back to the old methods of committing fraud because of the economy.
Brozycki: The technical expertise of the fraudster seems to be increasing. We expect this to continue regardless of the economy but perhaps accelerated by it. There are likely talented individuals getting involved in fraud who might otherwise be applying their skills in a positive way, were there more jobs available.
Some criminals are using technologies such as voice-altering software and multiple, disposable cellular phones. A single person can represent himself as multiple people and keep several identities straight, even if he receives multiple calls at the same time.
Malware continues to get more refined. Criminals have figured out that taking small card payments from many people can allow their activity to go unnoticed but provide high yields. This is starting to be applied to online fraud. Voice phishing scams sent as text messages to cell phones seem to be on the rise.
Dowell: I agree with CUISPA members that ACH fraud will be a problem, as well as non-bank financial sites that hold account credentials. Phishing is on the rise, and in particular, phishing via phones (vishing/smishing), according to a number of CUISPA members.
CUJ: Are members losing confidence in online services because of cybercrime?
Dowell: I think consumers are getting more confident. This is somewhat apparent from the successes of online stores and sites like Mint and Facebook that collect confidential data. People aren't shying away from those, despite the risks. Some CUISPA members seem to agree and are seeing an increase in the use of online services. Some said they have bolstered member confidence with security enhancements and by quickly responding to scams.
CUJ: What technology would you wish for to further reduce cybercrime?
Mucker: An online and email pop-up window that asks members to confirm whether they're sure they want to submit sensitive information and tells them to call their credit union first.
Also, the ability to troubleshoot members' virus protection and run scans for malware on their PCs.
Brozycki: Something that would allow for better communication and information sharing among all financial institutions. There's no way to predict all the emerging threats, but if you could learn about them immediately after they were used elsewhere, it could help you protect your institution. I'm sure there are financial institutions being hit right now by fraud that is new to them that other FIs experienced months ago.
CUJ: What actions can credit unions take to prevent online fraud?
Brozycki: We have our systems, our procedures and our people. You need all three — technology alone can't solve it. We've been working with our card vendor to implement some new anti-fraud offerings, implementing a fraud detection system internally and implementing new processes for detecting fraud based on criminal patterns that we've seen.
Reh: Bring members into the branch to talk about how online services can actually help prevent fraud.
Shuherk: Groom members to know that the credit union doesn't include links in any emails. If there's a link in an email, members know it's not from Star One CU. Also, when fraudsters social-engineer the call center, Guardian Analytics can alert you if the next account login is from an unexpected geolocation, computer or time.
Mucker: Guardian pays for itself, both in protecting us from fraud and from reputation risk.
Members of the Journal Roundtable
Robert Reh, executive committee member, CUNA Technology Council, and CIO at $334-million Nassau Financial FCU in Westbury, N.Y.
Nassau Financial's Anti-Online Fraud Tech: multi-factor authentication for homebanking; identity verification for account openings; email validation system (SPF); firewalls; third-party penetration testing
Quote: "Social engineering is being accomplished very easily, and members are being convinced to provide information to fraudsters. It's amazing what people will say on the online social networks."
Margarete Mucker, VP-remote services, and Fred Shuherk, Web services manager, $4.8-billion Star One CU in Sunnyvale, Calif.
Star One's Anti-Online Fraud Tech: similar to Nassau Financial, plus protection against phishing, pharming and Trojan attacks; member authentication for high-risk transactions; plus "favorite and most effective tool": behavior-based fraud detection from Guardian Analytics
Quote: "With Guardian Analytics, we're pretty sure we've reduced online banking wire-transfer fraud to zero."
John Brozycki, information security officer, $2.7-billion Hudson Valley FCU in Poughkeepsie, N.Y.
HVFCU's Anti-Online Fraud Tech: a "mixture" of vendor and in-house solutions. "We'd rather not disclose the exact details, but there's a constant adjustment as fraud continues to change."
Quote: "We think that criminals will continue getting better at monetizing all of the information they can steal."
Kelly Dowell, executive director, Credit Union Information Security Professionals Association (CUISPA)
Quote: "There has been an increase in fraud. The economy probably does have some impact, but if you look at history, fraud has been increasing year over year."